The Irish Data Protection Commission (DPC) has fined Meta €265 million ($275.5 million) for the data leak that Facebook experienced in 2021 that exposed the data of millions of Facebook users.
Additionally, Meta is being subject to a number of corrective measures from the Data Protection Commission.
The Meta Platforms Ireland Limited (MPIL), the data controller for the social media network “Facebook,” was the subject of a Data Protection Commission (DPC) investigation that was concluded today with a €265 million fine and a number of corrective actions being taken. reads the press announcement from the DPC.
A hacker forum user published 533 million Facebook users’ phone numbers and personal information for free online on April 3, 2021.
The availability of the data was first reported by Alon Gal, CTO of cyber intelligence firm Hudson Rock.
The data of Facebook users from 106 countries were available for free, with over 32 million records belonging to users from the US, 11 from the UK, and 6 million users from India. Leaked data included users’ phone numbers, Facebook IDs, full names, locations, birthdates, bios, and for some accounts the associated email addresses.
Immediately after the disclosures of the data leak the Irish DPC launched an investigation of potential GDPR violations by Meta. The data were amassed by threat actors by exploiting a vulnerability fixed in 2019 that allowed data scraping from the social network.
“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”
Now DPC concluded the investigation and argued that Meta violated the GDPR for not implementing appropriate technical and organizational measures, and not adopting the necessary safeguards as required by the European Regulation.
“The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.
Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Iris privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.
After learning about the data loss, the Irish DPC immediately began looking into any GDPR violations by Meta. Threat actors used a vulnerability addressed in 2019 that permitted data scraping from the social network to gather the data.
“The company, at the time known as Facebook, said the data had been gathered by what it said were malicious actors who misused a Facebook tool called “Contact Importer” to upload a large volume of phone numbers to see which ones matched the service’s users.” reported the WSJ. “On Monday, the company reiterated that it had removed the ability to use phone numbers to scrape its services in this way in 2019.”
Now that the inquiry is complete, DPC claimed that Meta had broken the GDPR by failing to implement the proper organisational and technical safeguards and by not adopting the necessary protections as required by the European Regulation.
The decision, which was adopted on Friday, 25 November 2022, records findings of infringement of Articles 25(1) and 25(2) GDPR. The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.” continues the press release.
Meta declared that it has made multiple changes to better safeguard users’ data since the incident took place. The Iris privacy regulator revealed it has several dozen more ongoing cases involving multiple tech giants.
Suggest an edit to this article
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...
I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.
I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!
- JD Sports:Cyber Attack affects 10 million customers - 30 January 2023
- InfoSec – A Newbie Guide – InfoSecurity - 25 January 2023
- Apple is accused of censoring apps in Hong Kong and Russia - 22 December 2022
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu